-
Notifications
You must be signed in to change notification settings - Fork 19
/
Copy pathfiat-500.txt
219 lines (170 loc) · 6.87 KB
/
fiat-500.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
FIAT 500 Nuova 500C 1.2 MPi Cabriolet S&S 69 cv
===============================================
> http://www.lacentrale.fr/fiche-technique-voiture-fiat-500-ii+c+1.2+8v+69+s%5Es+lounge-2010.html
> http://www.outilsobdfacile.com/vehicle-list-compatible-obd2/fiat
> http://www.obdtester.com/ficom
> http://www.mp3car.com/forum/mp3car-technical-hardware/engine-management-obd-ii-engine-diagnostics-etc/151698-does-anyone-know-what-is-obd-ii-protocol-for-2010-s-hondas
> http://multiplex-engineering.com/tutorials/
> https://www.scantool.net/scantool/downloads/64/ecusim_5100-ug.pdf
> https://github.com/kipyegonmark/mechanic/issues/6
> https://www.dgtech.com/wp-content/uploads/2016/07/DGDiagOBDII-manual.pdf
> https://fabiobaltieri.com/2013/07/23/hacking-into-a-vehicle-can-bus-toyothack-and-socketcan/#comment-14760
- Uses 29bits (Extended) CAN BUS
- 500kb/s
- Debug arbitration ID: 0x18DB33F1
## Arbitration ID meaning example (18DAF130)
18DA: Standard identifier for physically addressed signals (the tool is asking one module for a response).
18DB: Ask all of the modules for data (functionally addressed)
F1: A “tester” is asking for the information as opposed to another module onboard
30: The destination address
## Data received from UDS (mode 22)
One is able to initiate a UDS diagnostic session by sending the following message:
```python
# 0x18DA30f1: 30 is the Steering ECU. 0x10 would be the engine
# 0x10: Diagnostic Session Control
# 0x03: Safety system diagnostic session (test all safety-critical diagnostic functions)
data = [0x2, 0x10, 0x03, 0, 0, 0, 0, 0]
can.Message(arbitration_id=0x18DA30f1, data=data, extended_id=True)
```
After this, using mode 0x22 (Read Data By Identifier), one is able to query
different types of information.
Thanks to Alexey Chernikov, AlfaOBD's creator, I was able to recover the
following information.
### ECU -> ID mappings
0x10: Engine
0x28: ABS
0x30: Steering Column
0x40: Body
### Steering column (0x30)
#### 0948
This command returns multiple data.
Here is an example (the answer is more than 8 bytes):
TX 18DA30F1 03 22 09 48 00 00 00 00
RX 18DAF130 10 08 62 09 48 00 19 C8 00 06
Here is the interpretation (thanks Alexey Chernikov)
RX[5-6]: Angle of the steering wheel
RX[7]: battery voltage (multiplied by 16)
RX[8]: vehicle speed
RX[9]: Bitfield:
0: Is engine running
1: Is key in MAR
2: Is driving mode in "City" (0 ==> Normal)
3: Is MIL on
4: Is electric steering active
5: Is steering column motor torque position sensor present
6: Is vehicle moving
### ABS (0x28)
#### 0889
RX[5]: Bitfieled:
0: Is handbrake set
#### 0885
Returns the steering wheel angle too, in two bytes.
The value is `(X <= 32767) ? X / 16 : (X - 65535) / 16`, with X being the two bytes
## Reverse engineering broadcast message
Here are the different values observed during daily usage of the car, and some
of their meanings. Output example can be found in
../can_logs/test_canmonitor_fiat500_reverse.log
Terms used here:
- RWH: Rear window heater (defogger)
- SS: Start&Stop
- SB: Driver's seatbelt
- Speed:
Speed1: High byte of speed (>= 0x10)
Speed2: Low byte of speed (< 0x10, and one digit after coma)
Example: '01 67' means 16,7 km/h (hex) => 22 km/h (dec)
### 0210a006
0210a006[4:5]: Rises with speed. Real meaning still unknown
### 0218a006
Gives 16-bit speed at each wheel if the car is running. If the
car's speed is less than 4 km/h, it gives 4 times '00 2C'
0218a006[0] => Speed1
0218a006[1] => Speed2
0218a006[2] => Speed1
0218a006[3] => Speed2
0218a006[4] => Speed1
0218a006[5] => Speed2
0218a006[6] => Speed1
0218a006[7] => Speed2
### 0628a001
0628a001[5]:
0x00 = 0b000000 => Clutch pedal released
0x10 = 0b010000 => Accelerating with clutch pedal released enough to engage
0x20 = 0b100000 => Depressing clutch pedal without accelerating
0x30 = 0b110000 => Acceleration with clutch pedal too depressed to engage
### 0810a000
0810a000[2] => Rises with force applied on brakes. Real meaning unknown. ABS
trigger ?
0810a000[2]:
0x1x: Brakes pedal almost or completely released (brake lights off)
0x3x: Brakes pedal slight depression (brake lights turn on)
0x7x: Brakes pedal normal/high depression
### 0a18a000
Seems to convey status bitfields
0a18a000[0]:
0x00 = 0b00000000 => Handbrake off
0x20 = 0b00100000 => Handbrake on
^----------- 5: Handbrake on
0a18a000[2]:
0x10 = 0b00010000 => Left front door closed, contact off
0x18 = 0b00011000 => Left front door opened, contact off
0x40 = 0b01000000 => Left front door closed, contact on (=> electricity flows)
0x48 = 0b01001000 => Left front door opened, contact on (=> electricity flows)
0xC0 = 0b11000000 => Left front door closed, Ignition
0xC8 = 0b11001000 => Left front door opened, Ignition
^--------- 3: Left front door opened
^---------- 4: ?
^------------ 6: Contact on
^------------- 7: Ignition
0a18a000[4]:
0x00 = 0b0000 => City mode deactivated
0x08 = 0b1000 => City mode activated
^------------- 3: City mode
0a18a000[6]:
0x00 = 0b00000000 => Handbrake off, RWH off
0x10 = 0b00000000 => Handbrake off, RWH on
0x20 = 0b00100000 => Handbrake on, RWH off
0x30 = 0b00110000 => Handbrake on, RWH on
^---------- 4: RWH on
^----------- 5: Handbrake on
0a18a000[7]:
Increments on 8 bits when the wheels are turning
### 0a18a001
0a18a001[4:5]: Seems to rise when electrical components are used. Real meaning
unkown
### 0a18a006
0a18a006[0] => 00 when engine is off, 01 otherwise (seems). Set at ignition
0a18a006[1] => Always 00. Real meaning unknown
0a18a006[2] => Speed1
0a18a006[3] => Speed2
0a18a006[4:5] => Like [6:7] but with different values: loops from 0x0000 to
0a18a006[6:7] 0x1fff when car is running. Real meaning unknown
### 0a28a000
0a28a000[0] => Speed1
0a28a000[1] => Speed2
0a28a000[3] ?= 0a18a000[7] => Increments on 8 bits when wheels are turning
### 0a28a006
0a28a006[2] => Speed1
0a28a006[3] => Speed2
### 0c1ca000
0c1ca000[2]:
0x28 = 0b00101000 => Any front door opened and SB disengaged, SS unavailable
0x2C = 0b00101100 => All front door closed or SB engaged, SS unavailable
0xC8 = 0b11001000 => Any front door opened and SB disengaged, SS off
0xCC = 0b11001100 => All front door closed or SB engaged, SS off
0xE8 = 0b11101000 => Any front door opened and SB disengaged, SS on
0xEC = 0b11101100 => All front door closed or SB engaged, SS on
^-------- 2: All front door closed or SB engaged
^----------- 5: SS on
^------------ 6: SS available )
^------------- 7: SS available (?)
### 0c28a000
Date readeable in hexadecimal
0c28a000[0]: Hour
0c28a000[1]: Minute
0c28a000[2]: Day
0c28a000[3]: Month
0c28a000[4]: Year1
0c28a000[5]: Year2
Example:
> 0c28a000 21 02 24 05 20 17
> May, 24th 2017 - 9:02PM